Microsoft, Google Researcher Tangle on Security Disclosure

Google researcher Michal Zalewski and Microsoft are tangled in a debate about responsible disclosure focused on an Internet Explorer bug.

It seems Microsoft's security team is tangling with another Google researcher regarding the issue of responsible disclosure.

Google security engineer Michal Zalewski recently reported finding bugs with his new browser fuzzing tool, cross_fuzz. The vulnerabilities spanned a number of browsers, including Internet Explorer, Mozilla Firefox and Opera. A vulnerability in Internet Explorer, however, has caused a dust-up and sparked criticism from Microsoft that Zalewski has "amplified" risk to users.

"Security is an industrywide issue and Microsoft is committed to working with researchers and/or the companies who employ them, when they discover potential vulnerabilities and this case is no exception," said Jerry Bryant, group manager of response communications for Trustworthy Computing at Microsoft, in a statement. "Working with software vendors to address potential vulnerabilities in their products before details are made public, reduces the overall risk to customers. In this case, risk has now been amplified."

Last year, Google employee Tavis Ormandy had a well-publicized spat with Microsoft regarding the disclosure of a vulnerability in the Windows Help and Support Center feature delivered in supported editions of Windows XP and Windows Server 2003. His decision to publish proof-of-concept attack code on the Web created controversy as the bug quickly came under attack.

In this case, Zalewski wrote, while "working on addressing cross_fuzz crashes in WebKit prior to this announcement, one of the developers accidentally leaked the address of the fuzzer in one of the uploaded crash traces." As a result, the fuzzer directory was indexed by Google. On Dec. 30, Zalewski received search queries from an IP address in China that matched keywords in one of the indexed cross_fuzz files.

"These search queries are looking for information on two MSHTML.DLL functions - BreakAASpecial and BreakCircularMemoryReferences - that are unique to the stack signature of this vulnerability, and had absolutely no other mentions on the Internet at that time," the researcher wrote.

In a message to the Full Disclosure mailing list, Zalewski wrote that though Microsoft asked him to delay the tool's release, the discovery of the IE vulnerability by a third party made it important for him to push forward. He notified Microsoft of the issue in July, but contends he received little contact from the company until he followed up with them again in December with his announcement of the tool.

"Following that contact attempt, they were able to quickly reproduce multiple exploitable crashes, and asked for the release of this tool to be postponed indefinitely," he wrote. "Since they have not provided an explanation as to why these issues could not be investigated earlier, I refused."

Microsoft's account differs from Zalewski's; Bryant stated that in July "neither Microsoft [nor] the Google security researcher identified any issues."

"On Dec. 21, a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version," according to Bryant. "We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable."

Bryant added that using the Dec. 21 variant of the tool, Microsoft verified the vulnerability and requested Zalewski hold "the public release of this version and information on the vulnerability until we could investigate further. We specifically told Zalewski we were fine with him publishing the two versions of the tool reported in July."

"At this point, we're not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes," he said.

Zalewski claims that Microsoft confirmed Dec. 29 the crashes were reproducible with the version of the fuzzer it received July 29, and could not explain why it was unable to before. He also contends that the person who accessed the cross_fuzz directory seemed to have no apparent knowledge of the tool itself, and downloaded all the accessible files.

"The pattern is very strongly indicative of an independent discovery of the same fault condition in MSIE [Microsoft Internet Explorer] by unrelated means; other explanations for this pair of consecutive searches seem extremely unlikely," he wrote.

*This story was updated with additional information and commentary.